www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed date: 2024-05-16T11:54:45+00:00

Mandiant - Mandiant security blog
Poll Vaulting: Cyber Threats to Global Elections
Executive Summary
The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors, including state-sponsored actors, cyber criminals, hacktivists, insiders, and information-operations-as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.
When we look across the globe, we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.
Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and use account security tools such as Google's Advanced Protection Program to protect high-risk accounts.
Introduction
The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.
The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.
Published: 2024-04-25T10:00:00+00:00 | https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ | www.secnews.physaphae.fr/article.php?IdArticle=8500393
Tags: Ransomware, Malware, Hack, Tool, Vulnerability, Threat, Legislation, Cloud, Technical | Groups: APT 43, APT 29, APT 31, APT 42, APT 28, APT 40

Checkpoint Research - Security hardware vendor
1st April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st April, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The US and UK governments have announced a criminal indictment and sanctions against APT31, a group of Chinese hackers, for their role in allegedly conducting attacks against companies in the US, as well […]
Published: 2024-04-01T08:18:43+00:00 | https://research.checkpoint.com/2024/1st-april-threat-intelligence-report/ | www.secnews.physaphae.fr/article.php?IdArticle=8473934
Tags: Threat | Groups: APT 31
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack
The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 of orchestrating a cyber attack targeting the country's Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a
Published: 2024-03-28T22:20:00+00:00 | https://thehackernews.com/2024/03/finland-blames-chinese-hacking-group.html | www.secnews.physaphae.fr/article.php?IdArticle=8472126
Tags: Legislation | Groups: APT 31

Bleeping Computer - American magazine
Finland confirms APT31 hackers behind 2021 parliament breach
The Finnish Police confirmed on Tuesday that the APT31 hacking group linked to the Chinese Ministry of State Security (MSS) was behind a breach of the country's parliament disclosed in March 2021. [...]
Published: 2024-03-26T17:23:54+00:00 | https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/ | www.secnews.physaphae.fr/article.php?IdArticle=8471001
Tags: Legislation | Groups: APT 31

Checkpoint - Security hardware vendor
US and UK Governments Take Stand Against APT31, State-Affiliated Hacking Group
On Monday, the Biden administration announced a criminal indictment and sanctions against a group of Chinese hackers for their role in allegedly conducting hacks against companies in the US, as well as government officials. The US government charged seven hackers from the group known as APT31; in a related move, the British government announced sanctions on a front company, as well as two individuals in connection with a breach at the UK's Electoral Commission. The US government noted that the group spent about 14 years targeting US and foreign businesses and political officials. “Today both the UK and US governments […]
Published: 2024-03-26T14:57:51+00:00 | https://blog.checkpoint.com/security/us-and-uk-governments-take-stand-against-apt31-state-affiliated-hacking-group/ | www.secnews.physaphae.fr/article.php?IdArticle=8470789
Groups: APT 31
Dark Reading - Informationweek Branch
Chinese State-Sponsored Hackers Charged, Sanctions Levied by US
The US and the UK charge seven Chinese nationals for operating as part of threat group APT31.
Published: 2024-03-25T21:20:40+00:00 | https://www.darkreading.com/cyber-risk/chinese-state-hackers-slapped-with-us-charges-sanctions | www.secnews.physaphae.fr/article.php?IdArticle=8470383
Tags: Threat | Groups: APT 31

SecurityWeek - Security News
US Treasury Slaps Sanctions on China-Linked APT31 Hackers
The US Treasury Department sanctions a pair of Chinese hackers linked to “malicious cyber operations targeting US critical infrastructure sectors.”
Published: 2024-03-25T18:50:17+00:00 | https://www.securityweek.com/us-treasury-slaps-sanctions-on-china-linked-apt31-hackers/ | www.secnews.physaphae.fr/article.php?IdArticle=8470303
Groups: APT 31
Recorded Future - Recorded Future feed
US sanctions alleged Chinese state hackers for attacks on critical infrastructure
The U.S. sanctioned a Wuhan-based company believed to be a front for China's Ministry of State Security on Monday following dozens of attacks on critical infrastructure. The Justice and Treasury Departments accused Wuhan Xiaoruizhi Science and Technology Company of being a cover for APT31, a notorious China-based hacking group known for previously targeting
Published: 2024-03-25T17:50:21+00:00 | https://therecord.media/us-sanctions-chinese-hackers-infrastructure-attacks | www.secnews.physaphae.fr/article.php?IdArticle=8470278
Groups: APT 31
InfoSecurity Mag - InfoSecurity Magazine
UK Blames China for 2021 Hack Targeting Millions of Voters' Data
The UK's NCSC assesses that China-backed APT31 was “almost certainly” responsible for hacking the email accounts of UK parliamentarians.
Published: 2024-03-25T15:50:00+00:00 | https://www.infosecurity-magazine.com/news/uk-blames-china-for-2021-electoral/ | www.secnews.physaphae.fr/article.php?IdArticle=8470233
Tags: Hack | Groups: APT 31

AhnLab - Korean Security Firm
2023 Aug – Threat Trend Report on APT Groups
August 2023 Major Issues on APT Groups: 1) Andariel 2) APT29 3) APT31 4) Bitter 5) Bronze Starlight 6) Callisto 7) Carderbee 8) Charcoal Typhoon (RedHotel) 9) Earth Estries 10) Flax Typhoon 11) GroundPeony 12) Infamous Chisel 13) Kimsuky 14) Lazarus 15) MoustachedBouncher 16) Mysterious Elephant (APT-K-47) 17) Nobelium (Midnight Blizzard) 18) Red Eyes (APT37)
Aug_Threat Trend Report on APT Groups
Published: 2023-10-23T02:22:16+00:00 | https://asec.ahnlab.com/en/57930/ | www.secnews.physaphae.fr/article.php?IdArticle=8399124
Tags: Threat, Prediction | Groups: APT 38, APT 29, APT 37, APT 31
AhnLab - Korean Security Firm
Threat Trend Report on APT Groups – July 2023
July 2023 Major Issues on APT Groups: 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Charming Kitten 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Red Eyes 13) Space Pirates 14) Turla 15) Unclassified
ATIP_2023_Jul_Threat Trend Report on APT Groups
Published: 2023-09-11T05:02:48+00:00 | https://asec.ahnlab.com/en/56971/ | www.secnews.physaphae.fr/article.php?IdArticle=8381128
Tags: Threat, Prediction | Groups: APT 38, APT 35, APT 29, APT 37, APT 31, APT 28
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics
The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe.
Published: 2023-08-11T15:42:00+00:00 | https://thehackernews.com/2023/08/researchers-shed-light-on-apt31s.html | www.secnews.physaphae.fr/article.php?IdArticle=8368885
Tags: Malware, Threat, Industrial | Groups: APT 31

InfoSecurity Mag - InfoSecurity Magazine
APT31 Linked to Recent Industrial Attacks in Eastern Europe
Kaspersky published the third installment of their investigation on this campaign earlier today.
Published: 2023-08-10T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/apt31-linked-attacks-eastern-europe/ | www.secnews.physaphae.fr/article.php?IdArticle=8368430
Tags: Industrial | Groups: APT 31

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe
A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems. Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood,
Published: 2023-08-01T14:31:00+00:00 | https://thehackernews.com/2023/08/chinas-apt31-suspected-in-attacks-on.html | www.secnews.physaphae.fr/article.php?IdArticle=8364217
Tags: Industrial | Groups: APT 31

InfoSecurity Mag - InfoSecurity Magazine
APT31 Implants Target Industrial Organizations
The attackers established a channel for data exfiltration, including from air-gapped systems.
Published: 2023-07-31T17:30:00+00:00 | https://www.infosecurity-magazine.com/news/apt31-target-industrial-firms/ | www.secnews.physaphae.fr/article.php?IdArticle=8363967
Tags: Industrial | Groups: APT 31

AhnLab - Korean Security Firm
Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea
Rekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies.
1. Overview
Rekoobe is a backdoor that targets Linux environments. It was first discovered in 2015, [1]...
Published: 2023-07-10T23:30:00+00:00 | https://asec.ahnlab.com/en/55229/ | www.secnews.physaphae.fr/article.php?IdArticle=8354290
Tags: Malware, Threat | Groups: APT 31
InfoSecurity Mag - InfoSecurity Magazine
EU Cybersecurity Agency Warns Against Chinese APTs
Published: 2023-02-17T17:00:00+00:00 | https://www.infosecurity-magazine.com/news/eu-warns-chinese-apts/ | www.secnews.physaphae.fr/article.php?IdArticle=8311285
Groups: APT 25, APT 31, APT 15, APT 27, APT 30

SecurityWeek - Security News
Belgium Says Chinese APTs Targeted Interior, Defense Ministries
Published: 2022-07-20T08:37:31+00:00 | https://www.securityweek.com/belgium-says-chinese-apts-targeted-interior-defense-ministries | www.secnews.physaphae.fr/article.php?IdArticle=5828610
Groups: APT 31, APT 27, APT 30

Security Affairs - Security blog
Google blocked China-linked APT31's attacks targeting U.S. Government
Published: 2022-03-09T21:09:28+00:00 | https://securityaffairs.co/wordpress/128861/apt/google-blocked-apt31-attacks.html?utm_source=rss&utm_medium=rss&utm_campaign=google-blocked-apt31-attacks | www.secnews.physaphae.fr/article.php?IdArticle=4251239
Groups: APT 31

Anomali - Firm Blog
Anomali Cyber Watch: 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021)
Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast-encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web; however, the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.
MITRE ATT&CK: Scheduled Transfer - T1029
Tags: Conti, Wizard Spider, Ransomware, Banking and Finance
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021)
Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt, however, appears to be primarily focused on stealing cryptocurrency and has stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens. The botnet features a departure from its traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role.
Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity and a spike in network resource usage, as opposed to the detection of C2 IP addresses.
MITRE ATT&CK: Data Encoding - T1132 | File and Directory Discovery - T1083 | Clipboard Data - T1115
Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin
‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021)
Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group
Published: 2021-12-21T16:57:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-pseudomanuscrypt-mass-spyware-campaign-targets-35k-systems-apt31-intrusion-set-campaign-description-countermeasures-and-code-state-sponsored-hackers-abuse-slack-api-to-steal | www.secnews.physaphae.fr/article.php?IdArticle=3841167
Tags: Ransomware, Malware, Vulnerability, Threat, Guideline, Medical | Groups: APT 38, APT 31, APT 28, APT 41

Security Affairs - Security blog
China-linked APT31 targets Russia for the first time
Published: 2021-08-04T15:25:01+00:00 | https://securityaffairs.co/wordpress/120796/apt/china-linked-apt31-targets-russia-for-the-first-time.html?utm_source=rss&utm_medium=rss&utm_campaign=china-linked-apt31-targets-russia-for-the-first-time | www.secnews.physaphae.fr/article.php?IdArticle=3172502
Tags: Malware | Groups: APT 31

SecurityWeek - Security News
Chinese Cyberspy Group APT31 Starts Targeting Russia
Published: 2021-08-04T12:03:07+00:00 | http://feedproxy.google.com/~r/securityweek/~3/7vp2LzKnE0E/chinese-cyberspy-group-apt31-starts-targeting-russia | www.secnews.physaphae.fr/article.php?IdArticle=3171665
Tags: Malware | Groups: APT 31

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks
Published: 2021-08-04T03:28:13+00:00 | http://feedproxy.google.com/~r/TheHackersNews/~3/SfZ4rX3mo-s/new-chinese-spyware-being-used-in.html | www.secnews.physaphae.fr/article.php?IdArticle=3170833
Tags: Threat | Groups: APT 31

UnderNews - French "hacker" news site
Cybereason points to Chinese threat actors compromising telecom operators in Southeast Asia (and elsewhere?)
Published: 2021-08-03T14:13:41+00:00 | https://www.undernews.fr/hacking-hacktivisme/cybereason-pointe-les-acteurs-de-la-menace-chinois-qui-compromettent-des-operateurs-telecoms-en-asie-du-sud-est-et-ailleurs.html | www.secnews.physaphae.fr/article.php?IdArticle=3166882
Groups: APT 31

UnderNews - French "hacker" news site
APT31 attacks – Kaspersky's reaction
Published: 2021-07-31T10:10:28+00:00 | https://www.undernews.fr/hacking-hacktivisme/attaques-apt31-reaction-de-kaspersky.html | www.secnews.physaphae.fr/article.php?IdArticle=3155066
Groups: APT 31

Kaspersky - Kaspersky Research blog
APT trends report Q2 2021
Published: 2021-07-29T10:00:46+00:00 | https://securelist.com/apt-trends-report-q2-2021/103517/ | www.secnews.physaphae.fr/article.php?IdArticle=3147332
Tags: Threat | Groups: APT 29, APT 31

Anomali - Firm Blog
Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows “PetitPotam” Network Attack – How to Protect Against It (published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher Gilles Lionel created a proof-of-concept script that abuses Microsoft's NT LAN Manager (NTLM) protocol through MS-EFSRPC (Encrypting File System Remote Protocol). PetitPotam only works if the following conditions are met: NTLM authentication is enabled on the domain, Active Directory Certificate Services (AD CS) is in use, and Certificate Authority Web Enrollment or Certificate Enrollment Web Service is enabled. Exploitation can result in an NTLM relay attack, a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps for this attack, including disabling NTLM on a potentially affected domain, among others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
APT31 Modus Operandi Attack Campaign Targeting France (published: July 21, 2021)
The French cybersecurity watchdog ANSSI issued an alert via the French computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
StrongPity APT Group Deploys Android Malware for the First Time (published: July 21, 2021)
Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r
Published: 2021-07-27T15:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-apt31-targeting-french-home-routers-multiple-microsoft-vulnerabilities-strongpity-deploys-android-malware-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3140285
Tags: Malware, Tool, Vulnerability, Threat | Groups: APT 31, Uber

SecurityWeek - Security News
China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns
Published: 2021-07-22T12:54:44+00:00 | http://feedproxy.google.com/~r/securityweek/~3/pf76t2WkXFI/china-linked-apt31-abuses-hacked-routers-attacks-france-warns | www.secnews.physaphae.fr/article.php?IdArticle=3111878
Tags: Threat | Groups: APT 31

Security Affairs - Security blog
France ANSSI agency warns of APT31 campaign against French organizations
Published: 2021-07-21T18:15:54+00:00 | https://securityaffairs.co/wordpress/120392/apt/anssi-warns-apt31-attacks.html?utm_source=rss&utm_medium=rss&utm_campaign=anssi-warns-apt31-attacks | www.secnews.physaphae.fr/article.php?IdArticle=3107411
Groups: APT 31

Bleeping Computer - American magazine
France warns of APT31 cyberspies targeting French organizations
Published: 2021-07-21T10:13:53+00:00 | https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/ | www.secnews.physaphae.fr/article.php?IdArticle=3105813
Groups: APT 31

Anomali - Firm Blog
Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021) On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity. Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks. 
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021) Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. 
The main penetration tool used by NSO is malware Pegasus that targets both iPho]]> 2021-07-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-china-blamed-for-microsoft-exchange-attacks-israeli-cyber-surveillance-companies-help-oppressive-governments-and-more www.secnews.physaphae.fr/article.php?IdArticle=3100256 False Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Guideline,Industrial APT 31,APT 28,APT 40,APT 41 None Security Affairs - Blog Secu Security Affairs newsletter Round 320 2021-06-27T11:25:36+00:00 https://securityaffairs.co/wordpress/119448/breaking-news/security-affairs-newsletter-round-320.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-320 www.secnews.physaphae.fr/article.php?IdArticle=2988080 False Hack,Guideline APT 31 None Security Affairs - Blog Secu Norway blames China-linked APT31 for 2018 government hack 2021-06-20T16:36:59+00:00 https://securityaffairs.co/wordpress/119161/apt/norway-blames-china-apt31.html?utm_source=rss&utm_medium=rss&utm_campaign=norway-blames-china-apt31 www.secnews.physaphae.fr/article.php?IdArticle=2956293 False Hack APT 31 None InfoSecurity Mag - InfoSecurity Magazine APT31 Fingered for Cyber-Attack on Finnish Parliament 2021-03-19T15:37:00+00:00 https://www.infosecurity-magazine.com:443/news/apt31-cyberattack-finnish/ www.secnews.physaphae.fr/article.php?IdArticle=2506079 False Threat APT 31 None SecurityWeek - Security News Finland IDs Hackers Linked to Parliament Spying Attack APT31, which is generally linked to the Chinese government, was likely behind a cyberspying attack on the information systems of the Nordic country's parliament. 
Published: 2021-03-18T18:30:27+00:00
Source: http://feedproxy.google.com/~r/Securityweek/~3/A0vwQYUzY8E/finland-ids-hackers-linked-parliament-spying-attack
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=2501742
Tags: APT 31

Security Affairs - Security Blog: China-linked APT31 group was behind the attack on Finnish Parliament
Published: 2021-03-18T16:21:29+00:00
Source: https://securityaffairs.co/wordpress/115723/apt/apt31-attack-parliament-finland.html?utm_source=rss&utm_medium=rss&utm_campaign=apt31-attack-parliament-finland
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=2501470
Tags: APT 31

Anomali - Firm Blog: Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More

get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021)

Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMware to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables SSH to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s SSH keys.
Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs so that the ransomware can encrypt the files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over SSH using the Plink utility to drop the Darkside

Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 |

Published: 2021-03-02T15:00:00+00:00
Source: https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=2422682
Tags: Ransomware, Malware, Threat; APT 29, APT 31, APT 28, Wannacry, APT 34

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor: Chinese Hackers Hijacked NSA-Linked Hacking Tool: Report
Published: 2021-02-22T21:07:03+00:00
Source: https://threatpost.com/chinese-hackers-hijacked-nsa-hacking-tool/164155/
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=2384417
Tags: Threat; APT 31

SecurityWeek - Security News: Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak
Shadow Brokers' “Lost in Translation” leak, cybersecurity firm Check Point says in a
new report.

Published: 2021-02-22T15:06:35+00:00
Source: http://feedproxy.google.com/~r/Securityweek/~3/WdkRgZ0AUog/chinese-hackers-cloned-equation-group-exploit-years-shadow-brokers-leak
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=2382803
Tags: Vulnerability, Threat; APT 31

Anomali - Firm Blog: Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal (published: September 14, 2020)

A database containing records on 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information, contributing to claims that China is developing a mass surveillance system.

Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online.

Tags: China, spying

US Criminal Court Hit by Conti Ransomware; Critical Data at Risk (published: September 11, 2020)

The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then to install the Conti ransomware.
Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware-as-a-service, is sophisticated, and because they receive a large portion of the ransoms paid, they are motivated to avoid detection and continue to develop advanced attack tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns.

Recommendation: Defense in depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc., is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers because each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult-to-detect spearphishing attacks.
Tags: conti, ryuk, ransomware

Published: 2020-09-15T15:00:00+00:00
Source: https://www.anomali.com/blog/weekly-threat-briefing-apt-group-malware-ransomware-and-vulnerabilities
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=2103282
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Conference; APT 35, APT 31, APT 28

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor: Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group
Published: 2017-03-28T21:12:08+00:00
Source: https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=348438
Tags: APT 31

Bleeping Computer - American Magazine: Microsoft Quietly Patched Windows Zero-Day Used in Attacks by Zirconium Group
Published: 2017-03-27T16:55:51+00:00
Source: https://www.bleepingcomputer.com/news/security/microsoft-quietly-patched-windows-zero-day-used-in-attacks-by-zirconium-group/
Aggregator link: www.secnews.physaphae.fr/article.php?IdArticle=347622
Tags: APT 31